PL-2: System Security and Privacy Plans

NIST Baseline: Low

Privacy Baseline: Yes

DIR Required By: 07/20/2023

Review Date: 07/31/2024

  • The Tarleton State University (Tarleton) Chief Information Security Officer (CISO), in coordination with information resource owners and custodians, must develop a System Security and Privacy Plan covering High Impact Information Resources that:  
    • Defines the system components that are authorized for operation by the information resource owner (see Control CM-8, System Component Inventory);  
    • Describes the business process(es) supported by the information resource;  
    • Identifies the individuals that fulfill system roles and responsibilities;  
    • Identifies the information types processed, stored, and transmitted by the system (see Texas A&M University System (TAMUS) Data Classification Standard);  
    • Provides the security categorization of the system, including supporting rationale (see Control RA-2, Security Categorization);  
    • Describes any specific threats to the system that are of concern to the organization;  
    • Provides the results of a privacy risk assessment for systems processing personally identifiable information (PII);  
    • Describes any dependencies on or connections to other systems or system components;  
    • Provides an overview of the security and privacy requirements for the system;  
    • Identifies any relevant control baselines or overlays, if applicable; and  
    • Describes the unique controls in place or planned that exceed the common security controls applied to all Tarleton information resources, including a rationale for any exceptions or tailoring decisions.  
  • Information resource owners or their designees are responsible for:  
    • Periodically reviewing and being familiar with the security plan; 
    • Providing suggested or necessary updates to the security plan to the Tarleton CISO, as changes occur to the information resource under their authority, for final review and consideration so the plan can be updated as needed; and
    • Distributing the plans and communicating any changes as appropriate to other authorized individuals impacted by such changes for the information resource under their authority. 
  • The Tarleton CISO shall: 
    • Distribute copies of the security plan and communicate changes to the plan as appropriate to authorized individuals; 
    • Review the security plan for the information systems biennially (every two years) and submit a report to DIR;
    • Update the plan to address changes to the information system, environment of operation, or issues identified during plan implementation or security control assessments; and 
    • Protect the security plan from unauthorized disclosure and modification. 

References/Additional Resources

1 TAC § 202.21(b)(1)  

1 TAC § 202.71(b)(1)  

Section 2054.133, Government Code 

TAMUS Data Classification Standard